CRITICALSecuritysmallPostgreSQL

Auth Users Table Exposed to API

The auth.users table is accessible through the API schema, leaking user data.

Why This Matters

Exposing auth.users through the API grants access to emails, metadata, and auth details of all users in the system.

Related Rules

RLS Disabled on Public Tables

Security

CRITICAL

Unindexed Foreign Keys

Performance

HIGH

Create Indexes Concurrently

Performance

HIGH

Add NOT NULL Constraint Safely

Performance

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

The auth.users table contains sensitive user data (emails, phone numbers, metadata, encrypted passwords). If this table is exposed in the API schema, any client can query it.

Detection

Splinter lint 0002 (auth_users_exposed) checks for this automatically.

SELECT EXISTS (
  SELECT 1 FROM information_schema.role_table_grants
  WHERE table_schema = 'auth'
    AND table_name = 'users'
    AND grantee = 'anon' OR grantee = 'authenticated'
);

Fix

Revoke direct access and create a safe public profile view instead:

REVOKE ALL ON auth.users FROM anon, authenticated;
 
-- Use a public.profile table instead
CREATE TABLE public.profile (
  id uuid PRIMARY KEY REFERENCES auth.users(id),
  display_name text,
  avatar_url text
);
ALTER TABLE public.profile ENABLE ROW LEVEL SECURITY;

Tools

Splinter lint 0002 (auth_users_exposed)

Auth Users Table Exposed to API

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Detection

Fix

Tools